WebKit GIT trees - WebKit-https.git/commit

Crash when encountering <object style="resize:both;">
https://bugs.webkit.org/show_bug.cgi?id=109728

Source/WebCore:

See also https://code.google.com/p/chromium/issues/detail?id=175535
This bug can be reproduced on
http://dramalink.net/tudou.y/?xink=162601060

Patch by Christian Biesinger <cbiesinger@chromium.org> on 2013-02-13
Reviewed by Eric Seidel.

Test: fast/css/resize-object-crash.html

* rendering/RenderWidget.cpp:
(WebCore::RenderWidget::paint):
Only call paintResizer() if we have a layer and canResize() is true

LayoutTests:

See also https://code.google.com/p/chromium/issues/detail?id=175535

Patch by Christian Biesinger <cbiesinger@chromium.org> on 2013-02-13
Reviewed by Eric Seidel.

* fast/css/resize-object-crash-expected.txt: Added.
* fast/css/resize-object-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@142788 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 13 Feb 2013 21:36:34 +0000 (21:36 +0000)
committer	commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 13 Feb 2013 21:36:34 +0000 (21:36 +0000)
commit	9eb7c57cbf807d047693544d0f2ba748afaf300b
tree	bb5753cbf49bc2a78a023a41f2862167e91c4944	tree \| snapshot
parent	bf465f8fee3540060bda73e83157206077d4e8a9	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/fast/css/resize-object-crash-expected.txt	[new file with mode: 0644]	blob
LayoutTests/fast/css/resize-object-crash.html	[new file with mode: 0644]	blob
Source/WebCore/ChangeLog		diff \| blob \| history
Source/WebCore/rendering/RenderWidget.cpp		diff \| blob \| history